21st Century Cures Act:

Interoperability, Information Blocking,

and the ONC Health IT Certification
Program Final Rule

Presented by
Elisabeth Myers, Deputy Director, Office of Policy
2

Please Note:

• The materials contained in this presentation are based on the provisions contained
in 45 C.F.R. Parts 170 and 171. While every effort has been made to ensure the
accuracy of this restatement of those provisions, this presentation is not a legal
document. The official program requirements are contained in the relevant laws and
regulations. Please note that other Federal, state and local laws may also apply.

• This communication is produced and disseminated at U.S. taxpayer expense.

3

Updates to the
2015 Edition
Certification Criteria
4

Updates to the 2015 Edition Certification Criteria

Time-Limited and Removed Criteria
• Drug formulary/Drug List Checks • Common Clinical Data Set summary record – create
• Patient-Specific Education & receive criteria (replaced with USCDI)
• Secure Messaging • API (replaced with Standardized API criterion)
• Problem List, Medication List, Med Allergy List • Data Export (replaced with EHI export criterion)
• Smoking Status

Revised Criteria
• Interoperability criteria (C-CDA, VDT, etc.) • Security tags send & receive criteria
• Updated with USCDI • Electronic Prescribing (aligned with CMS)
• Updated with C-CDA Companion Guide • CQM – report criterion (aligned with CMS)
• ASTM criteria

New Criteria
• Electronic Health Information (EHI) export • Privacy and Security Attestation Criteria
• Standardized API for patient and population services
5

Revised: United States Core Data for

Interoperability Standard
The United States Core Data for Interoperability (USCDI) standard will
replace the Common Clinical Data Set (CCDS) definition 24 months after
publication of this final rule.

USCDI includes the following new required data

classes and data elements: Pediatric Address, Email &
Provenance Clinical
Notes Vital Signs Phone Number

Health IT developers need to update their certified health IT to support the

USCDI for all certification criteria affected by this change within 24 months after
the publication of the final rule.

USCDI Standard Annual Update Schedule

ONC will establish and follow a predictable, transparent, and collaborative process
to expand the USCDI, including providing stakeholders with the opportunity to
comment on the USCDI’s expansion.
6

New: Electronic Health Information (EHI)

Export Criterion

Adopted a focused definition of General Requirements

EHI to ePHI to the extent that it A certified Health IT Module must include export
would be included in a capabilities for:
a) a single patient EHI export to support patient
designated record set. access and
b) patient population EHI export to support
transitions between health IT systems

For certification, Developers are The export file(s) created must:

required to ensure health IT a) be electronic and in a computable format, and

b) the publicly accessible hyperlink of the export’s
products are capable of format must be included with the exported file(s).
exporting the EHI that can be
stored by the product at the time Note: Health IT developers have the flexibility to
determine their products' standard format for the
of certification. purpose of representing the exported EHI
7

New: Application Programming Interface (API)

Criterion
• Established a new application programming interface (API) certification criterion that requires health
IT developers to support standardized APIs for single patient and population services.
• Certification criterion is limited to API-enabled “read” services using the HL7® Fast Healthcare
Interoperability Resources (FHIR) Release 4 standard.
• The use of the FHIR standard and a set of implementation specifications provides known technical
requirements against which third-party apps can be developed.

Supports two types of API-enabled services:

» Services for which a single patient’s data is the focus

» Services for which multiple patients’ data are the focus

8

Conditions and
Maintenance of
Certification
Requirements
9

Conditions and Maintenance

of Certification Requirements

Seven (7) Conditions of Certification with

Maintenance of Certification Requirements
• Information Blocking
The 21st Century Cures Act
requires HHS to establish • Assurances
Conditions and Maintenance • Communications
of Certification requirements
for the ONC Health IT • Application Programming Interfaces (APIs)

Certification Program. • Real World Testing

• Attestations

• EHR Reporting Criteria Submission (at future time)

10

Information Blocking
11

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
q Actor regulated by the information blocking provision
q Involves electronic health information (EHI)
q Practice is likely to interfere with, prevent, or
materially discourage access, exchange, or use of
EHI
q Requisite knowledge by the actor
q Not required by law
q Not covered by an exception
12

“Actors” Regulated in the Final Rule

Health Care Health IT Health Information

Providers Developers of Networks (HIN)/
Certified Health IT Health Information
Exchanges (HIE)
13

Health Care Providers

Who are they?

• hospital • emergency medical services • provider operated by, or under

• skilled nursing facility provider contract with, the Indian Health
• federally qualified health center Service or by an Indian tribe,
• nursing facility tribal organization, or urban Indian
• home health entity or other • group practice organization
long term care facility • pharmacist • “covered entity” under certain
• health care clinic • pharmacy statutory provisions
• community mental health center • laboratory • therapist
• renal dialysis facility • physician • any other category of health care
• blood center • practitioner facility, entity, practitioner, or
clinician determined appropriate by
• ambulatory surgical • rural health clinic the Secretary
• ambulatory surgical center
14

Health IT Developers of Certified Health IT

Who are they?

An individual or entity, other than a health care provider that self-

develops health IT for its own use, that develops or offers health
information technology and which has, at the time it engages in a
practice that is the subject of an information blocking claim,
one or more Health IT Modules certified under a program for
the voluntary certification of health information technology that is
kept or recognized by the National Coordinator.
15

Health Information Networks & Exchanges

Who are they?

An individual or entity that determines, controls, or has the discretion to administer any
requirement, policy, or agreement that permits, enables, or requires the use of any
technology or services for access, exchange, or use of EHI:

1. Among more than two unaffiliated individuals or entities (other than the individual
or entity to which this definition might apply) that are enable to exchange with each
other; and

2. That is for a treatment, payment, or health care operations purpose, as such terms
are defined in 45 CFR 164.501 regardless of whether such individuals or entities are
subject to the requirements of 45 CFR parts 160 and 164.
16

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
üActor regulated by the information blocking provision
q Involves electronic health information (EHI)
q Practice is likely to interfere with, prevent, or
materially discourage access, exchange, or use of
EHI
q Requisite knowledge by the actor
q Not required by law
q Not covered by an exception
17

Definition of Electronic Health Information (EHI)

• EHI means electronic protected health information (ePHI) to the extent

that the ePHI is included in a designated record set as these terms are
defined for HIPAA.
• This is applicable whether the actor is a covered entity or not.
18

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
üActor regulated by the information blocking provision
ü Involves electronic health information (EHI)
q Practice is likely to interfere with, prevent, or
materially discourage access, exchange, or use of
EHI
q Requisite knowledge by the actor
q Not required by law
q Not covered by an exception
19

“Interfere with” or “Interference” - What is it?

Interfere with or interference means to prevent, materially discourage, or otherwise inhibit.

• Publication of “FHIR service base URLs” (sometimes also referred to as “FHIR

endpoints”) - A FHIR service base URL cannot be withheld by an actor as it (just like many other
technical interfaces) is necessary to enable the access, exchange, and use of EHI.
• Delays - An actor’s practice of slowing or delaying access, exchange, or use of EHI could constitute
an interference and implicate the information blocking provision.

• Costs for Electronic Access by Patients/Individuals - An actor’s practice of charging an

individual, their personal representative, or another person or entity designated by the individual for
electronic access to the individual’s EHI would be inherently suspect under an information blocking
review.
20

“Interfere with” or “Interference” - What is it not?

Interfere with or interference means to prevent, materially discourage, or otherwise inhibit.

• Business Associate Agreements (BAAs) – Actors are not required to violate BAAs or
associated service level agreements. However, a BAA or its associated service level
agreements must not be used in a discriminatory manner by an actor to forbid or limit
disclosures that otherwise would be permitted by the Privacy Rule.
• Educate Patients about Privacy and Security Risks of Apps and 3rd Parties – Actors
may provide patients with information that:
• Focuses on any current privacy and/or security risks posed by the technology or the third-party
developer of the technology;
• Is factually accurate, unbiased, objective, and not unfair or deceptive; and
• Is provided in a non-discriminatory manner.
21

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
ü Actor regulated by the information blocking provision
ü Involves electronic health information (EHI)
ü Practice is likely to interfere with, prevent, or materially
discourage access, exchange, or use of EHI
q Requisite knowledge by the actor
q Not required by law
q Not covered by an exception
22

Knowledge Standard

Health IT Developers of Certified

Health Care Providers
Health IT and HINs/HIEs

“…knows that such practice is “…knows, or should know, that

unreasonable and is likely to such practice is likely to interfere
interfere with, prevent, or materially with, prevent, or materially
discourage the access, exchange or discourage the access, exchange or
use of electronic health use of electronic health
information….” information….”
23

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
ü Actor regulated by the information blocking provision
ü Involves electronic health information (EHI)
ü Practice is likely to interfere with, prevent, or materially
discourage access, exchange, or use of EHI
ü Requisite knowledge by the actor
q Not required by law
q Not covered by an exception
24

Required by Law
What does it mean?
• Refers specifically to interferences with access, exchange, or
use of EHI that are explicitly required by state or federal law.
• Distinguishes between interferences that are “required by law”
and those engaged in pursuant to a privacy law, but which are
not “required by law.”

Federal and state law includes:

• Statutes, regulations, court orders, and binding
administrative decisions or settlements, such as (at the
Federal level) those from the FTC or the Equal Employment
Opportunity Commission (EEOC)
• Tribal laws, as applicable
25

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
ü Actor regulated by the information blocking provision
ü Involves electronic health information (EHI)
ü Practice is likely to interfere with, prevent, or materially
discourage access, exchange, or use of EHI
ü Requisite knowledge by the actor
ü Not required by law
q Not covered by an exception
26

Information Blocking Exceptions

Exceptions that involve not Exceptions that involve

fulfilling requests to access, procedures for fulfilling requests
exchange, or use EHI to access, exchange, or use EHI

1. Preventing Harm Exception 6. Content and Manner Exception

2. Privacy Exception 7. Fees Exception

3. Security Exception 8. Licensing Exception

4. Infeasibility Exception

5. Health IT Performance Exception

27

Content and Manner Exception

Th
e
im
Overview ag
Objective e
pa
It will not be information blocking for an actor to limit the rt
wit
content of its response to a request to access, exchange, or This exception provides clarity and
h
rel
use EHI or the manner in which it fulfills a request, provided flexibility to actors concerning the
ati
on
certain conditions are met. required content of an actor’s sh
ip
response to a request to access, ID
rId
exchange, or use EHI and the 4
w
manner in which the actor may fulfill
as
no
To satisfy this exception, the request. It supports innovation
t
fo
an actor must meet both of these conditions: un
and competition by allowing actors to
d
in
first attempt to reach and maintain
th
Content condition e
market negotiated terms for the fil
+ access, exchange, and use of EHI.
e.

Manner condition
28

Content and Manner Exception

Content Condition
1. Up to 24 months after the publication date of the final rule, an actor
must respond to a request to access, exchange, or use EHI with, at a
minimum, the EHI identified by the data elements represented in the
USCDI standard.
2. On and after 24 months after the publication date of the final rule, an
actor must respond to a request to access, exchange, or use EHI with
EHI as defined in § 171.102.
29

Content and Manner Exception

Manner Condition – Any Manner Requested

• An actor must fulfill a request in any manner requested unless the actor is:
1. Technically unable to fulfill the request in a manner requested; or
2. Cannot reach agreeable terms with the requestor to fulfill the request.
• If an actor fulfills a request in any manner requested, the actor is not required
to comply with the Fees or Licensing Exception.
30

Content and Manner Exception

Manner Condition – Alternative Manner

• If an actor responds in an alternative manner, the actor must fulfill the request without
unnecessary delay in the following order of priority, only proceeding to the next consecutive
paragraph if technically unable to fulfill the request in that manner:
1. Using technology certified to standard(s) adopted in Part 170 that is specified by the
requestor.
2. Using content and transport standards specified by the requestor and published by:
• Federal Government; or
• Standards developing organization accredited by the American National Standards
Institute.
3. Using an alternative machine-readable format, including the means to interpret the EHI,
agreed upon with the requestor.
31

What Makes an Individual or Entity an

Information Blocker?
Elements of information blocking
ü Actor regulated by the information blocking provision
ü Involves electronic health information (EHI)
ü Practice is likely to interfere with, prevent, or materially
discourage access, exchange, or use of EHI
ü Requisite knowledge by the actor
ü Not required by law
ü Not covered by an exception
32

Consequences of Being an Information Blocker

• Cures Act prescribes penalties for information blocking
• Health IT developers of certified health IT, health
information networks, and health information exchanges →
Civil monetary penalties (CMPs) up to $1 million per
violation
• Health care providers → Appropriate disincentives

• Certification ban (§ 170.581) for health IT

developers in violation of the Conditions of Certification
• Information blocking Condition of Certification (§ 170.401)
• Public listing of certification bans and terminations
33

Please visit
www.healthit.gov/curesrule
• View the Final Rule

• Fact Sheets

• Upcoming Webinar Schedule

• Previously recorded webinars

• Additional resources
34
www.HealthIT.gov
 Phone: 202-690-7151

Contact ONC Health IT Feedback Form:

https://www.healthit.gov/form/
healthit-feedback-form

Add additional call to action or relevant speaker Twitter: @onc_healthIT

information and contact details.
LinkedIn: Search “Office of the National
Coordinator for Health Information Technology”

Subscribe to our weekly eblast

at healthit.gov for the latest updates!